
Sommelier Protocol Team Weekly Update #11

Welcome to the Protocol team update on the Sommelier Cellars release! This week we cover Macro's audit of the Aave cellar and CellarStaking smart contracts, the Cellar staking rewards, and the team's delivery of the Steward and Cellars release.


The purpose of this audit is to review the source code of `CellarStaking` and `AaveV2StablecoinCellar` Sommelier Cellar contracts and provide feedback on the design, architecture, and quality of the source code with an emphasis on validating the correctness and security of the software in its entirety.

Macro performed a thorough manual review of the code, checking that the code matched the specification as well as the spirit of the contract (i.e. the intended behavior). During this manual portion of the audit, they primarily searched for security vulnerabilities, unwanted behavior, and problems with the system of incentives.

Next, they performed the automated portion of the review, consisting of assessing the quality of the test suite and evaluating the results of various symbolic execution tools run against the code. Finally, a line-by-line inspection of the code, including comments, was done in an effort to find any minor issues with code quality, documentation, or best practices.


In the first review of `AaveV2StablecoinCellar`, Macro found a significant number of issues originating from the use of inactive assets. The Sommelier team was already considering a change to the inactive-asset approach, and after seeing the reported issues, they decided to take the time required to change it. After the approach changed, Macro proceeded with the second review.

The second audit found one high-severity and three medium-severity vulnerabilities, along with a number of informational notes and gas optimizations. All issues were resolved. The high-severity vulnerability was in the staking contract: existing stakers were overpaid incentives when a new reward cycle was begun. All medium-severity issues related to the cellar itself and covered fee accounting (non-user-facing functionality) and edge cases regarding fee-on-transfer tokens.
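To make the two finding classes above concrete, here is an added Python model written for this post; it is not the audited Sommelier contracts, and the mechanisms it shows (a reward-rate change applied retroactively to time already elapsed, and a vault that credits the caller's nominal `amount` instead of the balance it actually received) are illustrative instances of each class, not the specific bugs Macro reported. Every token, rate and amount is a constructed sample value, and the `Staking` and `Cellar` classes and their method names are this example's own.

```python
"""Toy models of two smart-contract finding classes (illustrative, not the
audited code): retroactive reward overpayment on a staking cycle change, and
share mis-pricing with fee-on-transfer tokens. Integer math mirrors Solidity."""

SCALE = 10**18  # fixed-point scale for the reward-per-token accumulator


class Staking:
    """Reward-per-token accumulator. With settle_before_rate_change=False the
    new cycle's rate is applied to time that elapsed under the old rate."""

    def __init__(self, settle_before_rate_change: bool):
        self.settle_before_rate_change = settle_before_rate_change
        self.rate = 0                        # reward tokens per second
        self.last_update = 0
        self.acc = 0                         # cumulative reward per staked token
        self.total_staked = 0
        self.staked: dict[str, int] = {}
        self.snapshot: dict[str, int] = {}   # acc at the user's last settlement
        self.earned: dict[str, int] = {}

    def _accrue(self, now: int) -> None:
        # Fold time since last_update into acc at the *current* rate.
        if self.total_staked:
            self.acc += (now - self.last_update) * self.rate * SCALE // self.total_staked
        self.last_update = now

    def _settle(self, user: str) -> None:
        delta = self.acc - self.snapshot.get(user, 0)
        self.earned[user] = self.earned.get(user, 0) + self.staked.get(user, 0) * delta // SCALE
        self.snapshot[user] = self.acc

    def stake(self, user: str, amount: int, now: int) -> None:
        self._accrue(now)
        self._settle(user)
        self.staked[user] = self.staked.get(user, 0) + amount
        self.total_staked += amount

    def start_cycle(self, rate: int, now: int) -> None:
        # Hardened: bank the old cycle at the old rate before switching.
        # Vulnerable: skip this, so elapsed time is later paid at the new rate.
        if self.settle_before_rate_change:
            self._accrue(now)
        self.rate = rate

    def claim(self, user: str, now: int) -> int:
        self._accrue(now)
        self._settle(user)
        return self.earned.get(user, 0)


class FeeOnTransferToken:
    """Constructed ERC-20-like token that burns fee_bps of every transfer."""

    def __init__(self, fee_bps: int):
        self.fee_bps = fee_bps
        self.balances: dict[str, int] = {}

    def mint(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        fee = amount * self.fee_bps // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - fee


class Cellar:
    """Minimal share vault. trust_nominal_amount=True credits the caller's
    `amount`; False credits the balance delta that actually arrived."""

    def __init__(self, token: FeeOnTransferToken, trust_nominal_amount: bool):
        self.token = token
        self.trust_nominal_amount = trust_nominal_amount
        self.shares: dict[str, int] = {}
        self.total_shares = 0

    def total_assets(self) -> int:
        return self.token.balances.get("cellar", 0)

    def deposit(self, user: str, amount: int) -> int:
        before = self.total_assets()
        self.token.transfer(user, "cellar", amount)
        received = amount if self.trust_nominal_amount else self.total_assets() - before
        # First depositor is priced 1:1; later depositors against assets actually held.
        minted = received if self.total_shares == 0 else received * self.total_shares // before
        self.shares[user] = self.shares.get(user, 0) + minted
        self.total_shares += minted
        return minted

    def redeemable(self, user: str) -> int:
        return self.shares.get(user, 0) * self.total_assets() // self.total_shares


def run_staking_scenario(settle_before_rate_change: bool) -> int:
    s = Staking(settle_before_rate_change)
    s.stake("alice", 100, now=0)
    s.start_cycle(rate=1, now=0)    # cycle 1: 100 s at 1 token/s  -> 100 funded
    s.start_cycle(rate=3, now=100)  # cycle 2: 100 s at 3 tokens/s -> 300 funded
    return s.claim("alice", now=200)  # hardened pays 400; vulnerable pays 600


def run_cellar_scenario(trust_nominal_amount: bool) -> dict[str, int]:
    token = FeeOnTransferToken(fee_bps=100)  # constructed 1% fee-on-transfer token
    cellar = Cellar(token, trust_nominal_amount)
    for user in ("alice", "bob"):
        token.mint(user, 1_000)
        cellar.deposit(user, 1_000)
    return {u: cellar.redeemable(u) for u in ("alice", "bob")}
```

In the staking model the unsettled variant pays Alice 600 tokens against a total funding of 400, so the excess comes out of rewards meant for others. In the cellar model the nominal-amount variant mints Bob more shares than the 990 tokens that arrived, so he can redeem 994 while Alice drops to 985; measuring the balance delta gives both exactly 990.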

Beyond the high- and medium-severity issues, Macro reported a handful of informational and code-quality improvements. Gas optimizations were implemented where they did not significantly affect contract logic. Other informational issues were either addressed or marked "won't fix", with the team's reasoning for each acknowledgement included in the report.


Following both audits, the Sommelier team implemented patches for these findings based on Macro's recommendations. Several strengths were noted during the review, such as well-structured code and project files that ease use and maintenance, well-designed smart contracts with clearly defined access rights, custom error messages explaining failed checks, and the use of an up-to-date compiler.

This audit and the fixing of the identified security risks have enabled the protocol team to prepare for Sommelier's first Cellar launch. To this end, a proposal draft has been written to authorize a one-time transfer of SOMM from the community pool to the CellarStaking contract, which incentivizes cellar depositors on Ethereum Mainnet. These funds will be used for an incentive program for depositors into Sommelier's inaugural AAVE V2 Stablecoin Cellar. The tokens prescribed by the program will be distributed pro rata to users on Ethereum Mainnet who elect to bond aave2-CLR-S in Sommelier's staking contract.

To learn more about Sommelier, please visit
To participate in the community, please join the Telegram group
To follow the project on Github, please star the project


© 2024 Sommelier by Bajanss OÜ –Maakri 36-50, Tallinn, Estonia 10145
